Mobile

FTC Settlement: HTC Must Patch Security Vulnerabilities

HTC America has been ordered to develop and release software patches to address widespread security vulnerabilities that have potentially affected millions of HTC devices as part of a settlement deal announced by the Federal Trade Commission Friday.

As included in the terms of the settlement, the phone manufacturer will be subject to independent security assessments every other year for the next 20 years. HTC is additionally required to start a program that will address security risks during the hardware development process.

HTC said in a statement that it has addressed several of the security flaws noted by the FTC in its complaint and is working on fixes for those that remain unaddressed.

"Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data," said HTC spokesperson Sally Julien in a statement about the settlement. "Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the US released after December 2010. We're working to rollout the remaining software updates now and recommend customers download them once available."

The FTC's decision can be interpreted as a signal to other phone manufacturers that the commission expects them to pay careful attention to consumer security and patch flaws as close to immediately upon their discovery as possible.

Several issues were at the heart of the FTC's complaint against HTC: Permission re-delegation, the use of unsecured manufacturer-provided application markets and vulnerabilities in communication mechanisms used by HTC phones.

Permission re-delegation occurs when a user grants one application access to certain information, then another application uses that first application's approval to access data without the user's direct consent. The FTC found that HTC failed to address this problem in custom-built preinstalled applications on several devices, giving third-party apps the ability to record audio, access geolocation data and send text messages without users' permission.

The FTC also found that HTC included on its devices a pre-installed custom app store that allowed users to download apps outside of the Android Market/Google Play ecosystem. The custom HTC app, however, "failed to include appropriate permission check code to protect this pre-installed application from exploitation," per the FTC. Thus, third-party apps downloaded via HTC's custom app could sneak other software onto users' phones unbeknownst to the user.

Two "insecure communications mechanisms," as the FTC calls them, are also involved with the settlement: HTC Loggers and Carrier IQ.

HTC Loggers, discovered by researchers in October of 2011, was a security flaw that allowed third-party app developers to intercept users' sensitive data transmissions, including text messages, financial account passwords or geolocation data, from users' phones without their knowledge or consent. HTC quickly admitted the flaw and got to work on a fix.

Carrier IQ, meanwhile, was software embedded on some HTC phones at the behest of wireless providers, who used it to monitor potential problems on their networks. However, researchers discovered in December of 2011 that data picked up by Carrier IQ could be intercepted by third-party apps and that vulnerabilities in Carrier IQ could be manipulated to cause a phone to send text messages without users' permission. Several unofficial solutions for blocking or removing it from customers' phones were discovered soon after Carrier IQ came to light.

What responsibility do you think phone manufacturers should have to patch security flaws? Share your thoughts in the comments.

Mashable
is a global, multi-platform media and entertainment company. Powered by its own proprietary technology, Mashable is the go-to source for tech, digital culture and entertainment content for its dedicated and influential audience around the globe.